Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601)
Ebook, 1,698 pages, 23 hours
About this ebook

An up-to-date CompTIA Security+ exam guide from training and exam preparation guru Mike Meyers

Take the latest version of the CompTIA Security+ exam (exam SY0-601) with confidence using the comprehensive information contained in this highly effective self-study resource. Like the test, the guide goes beyond knowledge application and is designed to ensure that security personnel anticipate security risks and guard against them.

In Mike Meyers’ CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601), the bestselling author and leading authority on CompTIA A+ certification brings his proven methodology to IT security. Mike covers all exam objectives in small, digestible modules that allow you to focus on individual skills as you move through a broad and complex set of skills and concepts. The book features hundreds of accurate practice questions as well as a toolbox of the author’s favorite network security related freeware/shareware.
  • Provides complete coverage of every objective for exam SY0-601
  • Online content includes 20+ lab simulations, video training, a PDF glossary, and 180 practice questions
  • Written by computer security and certification experts Mike Meyers and Scott Jernigan
Language: English
Release date: May 7, 2021
ISBN: 9781260473704

    Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) - Mike Meyers

    ABOUT THE AUTHORS

    Mike Meyers, CompTIA A+, CompTIA Network+, CompTIA Security+, is the industry’s leading authority on CompTIA certifications and the best-selling author of ten editions of CompTIA A+ Certification All-in-One Exam Guide (McGraw Hill). He is the president and founder of Total Seminars, LLC, a major provider of PC and network repair seminars for thousands of organizations throughout the world, and a member of CompTIA.

    Scott Jernigan, CompTIA ITF+, CompTIA A+, CompTIA Network+, CompTIA Security+, MCP, is the author or co-author (with Mike Meyers) of over two dozen IT certification books, including CompTIA IT Fundamentals (ITF+) Certification All-in-One Exam Guide (McGraw Hill). He has taught seminars on building, fixing, and securing computers and networks all over the United States, including stints at the FBI Academy in Quantico, Virginia, and the UN Headquarters in New York City, New York.

    About the Technical Editor

    Matt Walker is currently a member of the Cyber Security Infrastructure team at Kennedy Space Center with DB Consulting. An IT security and education professional for more than 20 years, he has served in multiple positions ranging from director of the Network Training Center and a curriculum lead/senior instructor for Cisco Networking Academy on Ramstein AB, Germany, to instructor supervisor and senior instructor at Dynetics, Inc., in Huntsville, Alabama, providing onsite certification-awarding classes for (ISC)², Cisco, and CompTIA. Matt has written and contributed to numerous technical training books for NASA, Air Education and Training Command, and the US Air Force, as well as commercially (CEH Certified Ethical Hacker All-in-One Exam Guide, now in its fourth edition), and continues to train and write certification and college-level IT and IA security courses.

    Copyright © 2021 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

    ISBN: 978-1-26-047370-4

    MHID: 1-26-047370-8

    The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-047369-8, MHID: 1-26-047369-4.

    eBook conversion by codeMantra

    Version 1.0

    All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

    McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.

    Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

    TERMS OF USE

    This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

    THE WORK IS PROVIDED AS IS. McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

    For the great friends from around the world who shared this crazy lockdown with us: Andre de Gooyert, Tullowit, Alice Pozzi, Zak Morrill, Patricia Grace, Jose Braden, and so many others. Cheers!

    —Mike and Scott

    CONTENTS AT A GLANCE

    Chapter 1 Risk Management

    Chapter 2 Cryptography

    Chapter 3 Identity and Account Management

    Chapter 4 Tools of the Trade

    Chapter 5 Securing Individual Systems

    Chapter 6 The Basic LAN

    Chapter 7 Securing Wireless LANs

    Chapter 8 Securing Public Servers

    Chapter 9 Securing Dedicated Systems

    Chapter 10 Physical Security

    Chapter 11 Protocols and Applications

    Chapter 12 Testing Infrastructure

    Chapter 13 Dealing with Incidents

    Appendix A Exam Objective Map

    Appendix B About the Online Content

    Glossary

    Index

    CONTENTS

    Acknowledgments

    Introduction

    Chapter 1 Risk Management

    Module 1-1: Defining Risk

    Asset

    Likelihood

    Threat Actor

    Vulnerability and Threat

    Circling Back to the Risk Definition

    Vectors

    Threat Intelligence

    Module 1-2: Risk Management Concepts

    Infrastructure

    Security Controls

    Risk Management Frameworks

    Module 1-3: Security Controls

    Control Categories

    Control Types

    Module 1-4: Risk Assessment

    Risk Assessment Processes and Concepts

    Quantitative Risk Assessment

    Qualitative Risk Assessment

    Putting It All Together: Risk Analysis

    Risk Response

    Module 1-5: Business Impact Analysis

    BIA Basics

    Types of Impact

    Locating Critical Resources

    Calculating Impact

    Calculating Downtime

    Module 1-6: Data Security and Data Protection

    Organizing Data

    Legal and Compliance

    Data Destruction

    Privacy Breaches

    Module 1-7: Personnel Risk and Policies

    Hiring

    Onboarding

    Personnel Management Policies

    Training

    Policies

    User Habits

    Offboarding

    Module 1-8: Third-Party Risk and Policies

    Third-Party Risk Management

    Agreement Types

    Questions

    Answers

    Chapter 2 Cryptography

    Module 2-1: Cryptography Basics

    Essential Building Blocks

    Early Cryptography

    Cryptography Components

    Module 2-2: Cryptographic Methods

    Symmetric Cryptography

    Asymmetric Cryptography

    Hashing

    Limitations in Symmetric vs. Asymmetric Cryptography

    Hybrid Cryptography

    The Perfect Cryptosystem

    Module 2-3: Symmetric Cryptosystems

    DES

    3DES

    AES

    Blowfish

    Twofish

    RC4

    Summary of Symmetric Algorithm Characteristics

    Module 2-4: Asymmetric Cryptosystems

    RSA

    Diffie-Hellman

    PGP/GPG

    ECC

    ElGamal

    Module 2-5: Hashing Algorithms

    Hashing Process

    MD5

    SHA

    RIPEMD

    HMAC

    Module 2-6: Digital Signatures and Certificates

    Digital Signatures

    Digital Certificates

    Module 2-7: Public Key Infrastructure

    Keys, Algorithms, and Standards

    PKI Services

    Digital Certificates and PKI Structure

    Key Safety

    Trust Models

    Module 2-8: Cryptographic Attacks

    Attack Strategies

    Attackable Data

    Attack Scenarios

    Defending Password Storage

    Other Attack Options

    Module 2-9: Other Cryptosystems

    Homomorphic Encryption

    Blockchain

    Quantum Cryptography

    Questions

    Answers

    Chapter 3 Identity and Account Management

    Module 3-1: Understanding Authentication

    Identification and AAA

    Identification and Authentication

    Authorization

    Accounting

    Trust

    Module 3-2: Authentication Methods and Access Controls

    Authentication Methods

    Biometrics

    Authorization and Access Control Schemes/Models

    Module 3-3: Account Management

    User Accounts

    Account Policies

    Account Administration

    Module 3-4: Point-to-Point Authentication

    PAP

    CHAP/MS-CHAP

    Remote Access Connection and Authentication Services

    Module 3-5: Network Authentication

    The Challenge of LAN Access Management

    Microsoft Networking

    LDAP and Secure LDAP

    Module 3-6: Identity Management Systems

    Trust

    Shared Authentication Schemes

    Questions

    Answers

    Chapter 4 Tools of the Trade

    Module 4-1: Operating System Utilities

    Network Reconnaissance and Discovery

    File Manipulation

    Shell and Script Environments

    Module 4-2: Network Scanners

    Scanning Methods

    Scanning Targets

    Scanner Types

    Module 4-3: Protocol Analyzers

    Why Protocol Analyze?

    Wireshark

    tcpdump

    Module 4-4: Monitoring Networks

    Exploring Log Files

    Centralizing Log Files

    Security Information and Event Management

    Log File Management

    Questions

    Answers

    Chapter 5 Securing Individual Systems

    Module 5-1: Types of System Attacks

    Attacking Applications

    Driver Manipulation

    Malicious Code or Script Execution

    Module 5-2: Malware

    Virus

    Cryptomalware/Ransomware

    Worm

    Trojan Horse

    Potentially Unwanted Programs

    Bots/Botnets

    Logic Bomb

    Keylogger

    RAT

    Rootkit

    Backdoor

    Module 5-3: Cybersecurity Resilience

    Non-persistence

    Redundancy

    Diversity

    Module 5-4: Securing Hardware

    Physical Attacks

    Securing the Systems

    Securing Boot Integrity

    Module 5-5: Securing Endpoints

    Hardening Operating Systems

    Anti-malware

    Data Execution Prevention

    File Integrity Monitors

    Data Loss Prevention

    Module 5-6: System Recycling

    Clear

    Purge

    Destroy

    Questions

    Answers

    Chapter 6 The Basic LAN

    Module 6-1: Layer 2 LAN Attacks

    ARP Poisoning

    Man-in-the-Middle Attacks

    MAC Flooding

    MAC Cloning

    Module 6-2: Organizing LANs

    Configuration Management

    Network Segmentation

    Load Balancing

    Module 6-3: Implementing Secure Network Designs

    Securing the LAN

    Internet Connection Firewalls

    Securing Servers

    Module 6-4: Virtual Private Networks

    How VPNs Work

    Early VPNs

    IPsec VPNs

    TLS VPNs

    Module 6-5: Network-Based Intrusion Detection/Prevention

    Detection vs. Prevention

    Detecting Attacks

    Configuring Network-Based IDS/IPS

    Monitoring NIDS/NIPS

    Endpoint Detection and Response

    Questions

    Answers

    Chapter 7 Securing Wireless LANs

    Module 7-1: Networking with 802.11

    Wireless Cryptographic Protocols

    Wireless Authentication Protocols

    Module 7-2: Attacking 802.11

    Wireless Survey/Stumbler

    Packet Capture

    Attack Tools

    Rogue Access Point

    Jamming

    Packet Sniffing

    Deauthentication Attack

    Near-Field Communication

    Replay Attacks

    WEP/WPA Attacks

    WPS Attacks

    Wireless Peripherals

    Module 7-3: Securing 802.11

    Installation Considerations

    Wireless Configuration

    Security Posture Assessment

    Questions

    Answers

    Chapter 8 Securing Public Servers

    Module 8-1: Attacking and Defending Public Servers

    Distributed Denial-of-Service

    Route Security

    Quality of Service

    Monitoring Services

    Module 8-2: Virtualization Security

    Virtualization Architecture

    Containers

    Virtualization Risks

    Using Virtualization for Security

    Module 8-3: Cloud Deployment

    Let’s Talk Amazon

    Cloud Deployment Models

    Cloud Architecture Models

    Cloud Growing Pains

    Module 8-4: Securing the Cloud

    Cloud Security Controls

    Unique Cloud Security Solutions

    Questions

    Answers

    Chapter 9 Securing Dedicated Systems

    Module 9-1: Embedded, Specialized, and Mobile Systems

    Embedded Systems

    SCADA/ICS

    Internet of Things

    Specialized Systems

    Mobile Systems

    Module 9-2: Connecting to Dedicated Systems

    Common Communication Technologies

    IoT-Specific Communication Technologies

    Module 9-3: Security Constraints for Dedicated Systems

    Hardware

    Programming

    Connectivity

    Module 9-4: Implementing Secure Mobile Solutions

    Mobile Device Management

    Deployment Models

    Inventory Control and Asset Tracking

    Application Management and Security

    Encryption and Authentication

    Enforcement and Monitoring for Device Security

    Questions

    Answers

    Chapter 10 Physical Security

    Module 10-1: Physical Security Controls

    Passive Defensive Systems and Perimeter Controls

    Active Alert Systems

    Manned Defensive Systems

    Module 10-2: Environmental Controls

    EMI and RFI Shielding

    Fire Suppression

    HVAC

    Temperature and Humidity Controls

    Hot and Cold Aisles

    Environmental Monitoring

    Questions

    Answers

    Chapter 11 Secure Protocols and Applications

    Module 11-1: Secure Internet Protocols

    DNS Security

    SNMP

    SSH

    FTP

    SRTP

    Module 11-2: Secure Web and E-mail

    HTTP

    HTTPS

    E-mail

    Module 11-3: Web Application Attacks

    Injection Attacks

    Hijacking and Related Attacks

    Other Web Application Attacks

    Module 11-4: Application Security

    Development

    Code Quality and Testing

    Staging

    Production

    Quality Assurance

    Getting Organized

    Module 11-5: Certificates in Security

    Certificate Concepts and Components

    PKI Concepts

    Online vs. Offline CA

    PKI TLS Scenario

    Types of Certificates

    Certificate Formats

    Key Escrow

    Questions

    Answers

    Chapter 12 Testing Infrastructure

    Module 12-1: Vulnerability Impact

    Device/Hardware Vulnerabilities

    Configuration Vulnerabilities

    Management/Design Vulnerabilities

    Module 12-2: Social Engineering

    Social Engineering Goals

    Principles

    Types of Attacks

    Module 12-3: Artificial Intelligence

    Understanding Artificial Intelligence

    Machine Learning Essentials

    OSINT

    Adversarial Artificial Intelligence

    Module 12-4: Security Assessment

    Threat Hunting

    Vulnerability Scans

    Penetration Testing

    Module 12-5: Assessment Tools

    Protocol Analyzer

    Network Scanner

    Vulnerability Scanner

    Configuration Compliance Scanner

    Penetration Testing with Metasploit

    Specific Tools Mentioned by CompTIA

    Interpreting Security Assessment Tool Results

    Questions

    Answers

    Chapter 13 Dealing with Incidents

    Module 13-1: Incident Response

    Incident Response Concepts

    Incident Response Procedures

    Scenarios: Mitigation During and After an Incident

    Module 13-2: Digital Forensics

    Digital Forensics Concepts

    Data Volatility

    Critical Forensics Practices

    Data Acquisition

    Analyzing Evidence

    Module 13-3: Continuity of Operations and Disaster Recovery

    Risk Management Best Practices

    Contingency Planning and Resilience

    Functional Recovery Plans

    Backup and Restore Plans and Policies

    Questions

    Answers

    Appendix A Exam Objective Map

    Exam SY0-601

    Appendix B About the Online Content

    System Requirements

    Your Total Seminars Training Hub Account

    Privacy Notice

    Single User License Terms and Conditions

    TotalTester Online

    Other Book Resources

    Video Training from Mike Meyers

    TotalSim Simulations

    Mike’s Cool Tools

    Technical Support

    Glossary

    Index

    ACKNOWLEDGMENTS

    In general, we’d like to thank our amazing teams at McGraw Hill and KnowledgeWorks Global Ltd. for such excellent support and brilliant work editing, laying out, and publishing this edition. Special shout out to our co-workers at Total Seminars—Michael Smyer, Dave Rush, and Travis Everett—for listening to us rant and providing excellent feedback.

    We’d like to acknowledge the many people who contributed their talents to make this book possible:

    To Tim Green, our acquisitions editor at McGraw Hill: Thank you for the steady encouragement during this crazy year. You’re the best!

    To Matt Walker, technical editor: Excellent working with you! Thanks for laughing at our geeky jokes and sharing great stories.

    To Bill McManus, copy editor: What an absolute delight to do this project with you! Your efforts made this a much better book.

    To Emily Walters, acquisitions coordinator at McGraw Hill: Thanks for the Friday meetings and slightly menacing cat-on-lap petting. Way to keep us on track!

    To Neelu Sahu, project manager at KnowledgeWorks Global Ltd.: Enjoyed working with you, Neelu. Hope the somewhat chaotic pacing wasn’t too stressful!

    To Lisa McCoy, proofreader: Fabulous job, thanks!

    To Ted Laux, indexer extraordinaire: Well done!

    To KnowledgeWorks Global Ltd. compositors: The layout was excellent, thanks!

    To Janet Walden, editorial supervisor at McGraw Hill: Great to work with you on this project! Next time we’ll make a few extra changes in page proofs just for you!

    To Tom Somers, production supervisor at McGraw Hill: Thanks for waving that magic wand of yours and making so much happen as smoothly as possible.

    INTRODUCTION

    Most societies teem with a host of networked devices, from servers to smartphones, that provide the backbone for much of modern life. People and companies use these devices to produce and sell products and services, communicate around the globe, educate at every level, and manage the mechanisms of governments everywhere. Networked devices and the complex networks that interconnect them offer advances for humanity on par with, or perhaps beyond, the Agricultural and Industrial Revolutions. That’s the good news.

    The bad news is the fact that reliance on these devices creates a security risk to the resources placed on them. Networks can lose critical data and connections, both of which equate to loss of energy, confidence, time, and money. To paraphrase a few words from the American statesman, James Madison, if humans were angels, there’d be no need for security professionals. But humans are at best negligent and at worst petty, vindictive, and astoundingly creative in pursuit of your money and secrets.

    Networked devices and the networks that interconnect them need security professionals to stand guard. The demand for security professionals in information technology (IT) far outstrips the supply, and we assume that’s why you picked up this book. You see the trend and want to take the first step to becoming an IT security professional by attaining the acknowledged first security certification to get: CompTIA Security+.

    This introduction starts with an overview of the goals of security, to put a framework around everything you’re going to learn. Second, we’ll discuss the CompTIA Security+ certification and look at exam details. Finally, this introduction details the overall structure of the book, providing a roadmap for studying for the exam.

    Goals of Security

    Traditional computer security theory balances among three critical elements: functionality, security, and the resources available to ensure both. From a functionality standpoint, systems must function as people need them to function to process the data needed. Users and other systems need to interface with systems and data seamlessly to get work done. Don’t confuse functionality with free rein. Allowing users to do whatever they wish with systems and data may result in loss, theft, or destruction of systems and data. Therefore, functionality must balance with security.

    From the security standpoint, however, increasing the levels of protection for systems and data usually reduces functionality. Introducing security mechanisms and procedures into the mix doesn’t always allow users to see or interact with data and systems the way they would like. This usually means a reduction in functionality to some degree.

    To add another wrinkle, the resources expended toward functionality and security, and the balance between them, are finite. No one has all the money or resources they need or as much functionality or security as they want. Keep in mind, therefore, that the relationship between functionality and security is inversely proportional; that is to say, the more security in place, the less functionality, and vice versa. Also, the fewer resources a person or organization has, the less of either functionality or security they can afford. Figure 1 illustrates this careful balancing act among the three elements of functionality, security, and resources.

    Figure 1: Balancing functionality, security, and resources

    Security theory follows three goals, widely considered the foundations of the IT security trade: confidentiality, integrity, and availability. Security professionals work to achieve these goals in every security program and technology. These three goals inform all the data and the systems that process it. The three goals of security are called the CIA triad. Figure 2 illustrates the three goals of confidentiality, integrity, and availability.

    Figure 2: The CIA triad

    NOTE

    The CIA triad is put into practice through various security mechanisms and controls. Every security technique, practice, and mechanism put into place to protect systems and data relates in some fashion to ensuring confidentiality, integrity, and availability.

    Confidentiality

    Confidentiality tries to keep unauthorized people from accessing, seeing, reading, or interacting with systems and data. Confidentiality is a characteristic met by keeping data secret from people who aren’t allowed to have it or interact with it in any way, while making sure that only those people who do have the right to access it can do so. Systems achieve confidentiality through various means, including the use of permissions to data, encryption, and so on.

    Integrity

    Meeting the goal of integrity requires maintaining data and systems in a pristine, unaltered state when they are stored, transmitted, processed, and received, unless the alteration is intended due to normal processing. In other words, there should be no unauthorized modification, alteration, creation, or deletion of data. Any changes to data must be done only as part of authorized transformations in normal use and processing. Integrity can be maintained by the use of a variety of checks and other mechanisms, including data checksums and comparison with known or computed data values.

    Availability

    Maintaining availability means ensuring that systems and data are available for authorized users to perform authorized tasks, whenever they need them. Availability bridges security and functionality, because it ensures that users have a secure, functional system at their immediate disposal. An extremely secure system that’s not functional is not available in practice. Availability is ensured in various ways, including system redundancy, data backups, business continuity, and other means.

    During the course of your study, keep in mind the overall goals in IT security. First, balance three critical elements: functionality, security, and the resources available to ensure both. Second, focus on the goals of the CIA triad—confidentiality, integrity, and availability—when implementing, reviewing, managing, or troubleshooting network and system security. The book returns to these themes many times, tying new pieces of knowledge to this framework.

    CompTIA Security+ Certification

    The CompTIA Security+ certification has earned the reputation as the first step for anyone pursuing a career in the highly complex, highly convoluted, and still very much evolving world of IT security. Let’s start with a description of CompTIA, then look at the specifics of the certification.

    CompTIA

    The Computing Technology Industry Association (CompTIA) is a nonprofit, industry-wide organization of just about everyone in the IT industry. The different aspects of CompTIA’s mission include certification, education, and public policy.

    As of this writing, CompTIA offers 13 vendor-neutral certifications covering a wide range of information technology areas. Examples of some of these areas and certifications include CompTIA Linux+ (focusing on the Linux operating system), CompTIA A+ (which focuses on computer technology support fundamentals), CompTIA Network+ (covering different network technologies), and, of course, CompTIA Security+.

    CompTIA certifications are considered the de facto standard in the industry in some areas. Because they are vendor neutral, almost all CompTIA certifications cover basic knowledge of fundamental concepts of a particular aspect of IT. CompTIA works hard to develop exams that accurately validate knowledge that professionals must have in that area. This enables employers and others to be confident that the individual’s knowledge meets a minimum level of skill, standardized across the industry.

    The CompTIA Security+ Exam

    Let’s state up front that CompTIA does not have any requirements for individuals who want to take the CompTIA Security+ exam. There are no prerequisites for certification or definitive requirements for years of experience. CompTIA does have several recommendations, on the other hand, including knowledge that might be validated by other CompTIA certifications such as the CompTIA Network+ certification. In other words, the level of networking knowledge you are expected to have before you take the CompTIA Security+ exam is the level that you would have after successfully completing the CompTIA Network+ certification. Here are CompTIA’s recommendations:

    • Network+ certification

    • Two years of experience in IT systems administration, with a focus on security

    You should have experience in several areas, such as networking knowledge, basic information security concepts, hardware, software (both operating systems and applications), cryptography, physical security, and so on. The next few sections cover specific exam objectives that you need to know.

    The following table shows the six domains in the CompTIA Security+ Certification Exam Objectives document for exam SY0-601. Each of these domains has very detailed exam objectives.

    Threats, Attacks, and Vulnerabilities

    Domain 1.0 is all about the attacks, from malware to application attacks. It’s critical you know your keyloggers from your RATs and your buffer overflows from your cross-site scripting. In addition, you should recognize the threat actors, from script kiddies to evil governments to incompetent users. Along with the threats and attacks, you should understand the different types of vulnerabilities that enable these attacks to thrive, and the two main tools you use to minimize those vulnerabilities: security assessments and penetration testing.

    Architecture and Design

    Domain 2.0 explores a lot of topics under its benign-sounding title. You’re expected to explain important security concepts, such as data protection, hashing, and site resiliency. The domain covers cloud models, such as infrastructure as a service (IaaS); you’ll need to summarize containers, infrastructure as code, and virtualization. In addition, this domain covers the design of secure applications and security for embedded systems.

    Domain 2.0 requires you to know how to use security devices, protocols, and tools. This domain covers the frameworks that enable secure IT, design concepts such as defense-in-depth, and the benchmarks used to measure security. This domain covers technologies to defend networks, such as VLANs, screened subnets, and wireless designs. Domain 2.0 also covers physical security controls, such as fencing and fire prevention.

    Finally, domain 2.0 expects knowledge of cryptographic concepts. You’ll get questions on symmetric versus asymmetric cryptography, for example. The objectives explore public key encryption, keys, salting, hashing, and more.

    Implementation

    The key with domain 3.0 is in the name, Implementation. Concepts discussed in other domains get scenario-level in this domain. Domain 3.0 goes into great detail about authentication, authorization, and accounting. It expects you to know and implement authentication and the many identity and access services such as LDAP and Kerberos. The domain addresses authorization via user groups and accounts and the tools and methods used to control them. You’ll need to know how to implement secure wireless and mobile solutions, plus apply cybersecurity solutions to cloud computing. Finally, the domain expects you to understand how to implement public key infrastructure.

    Operations and Incident Response

    Domain 4.0 explores organizational security, such as incident response policies and procedures. You’ll need to know mitigation techniques and controls, plus practical forensic practices, such as how to acquire and handle evidence.

    Governance, Risk, and Compliance

    Domain 5.0 defines critical concepts in risk management, such as events, exposures, incidents, and vulnerability. You’re expected to know risk-related tools, such as business impact analysis, assessments, incident response, and disaster recovery/business continuity. You’ll need to understand the regulations, standards, and frameworks that impact operational security and explain policies that organizations use to implement security. Finally, the domain expects you to know how privacy and sensitive data use impacts security.

    Getting Certified

    This book covers everything you’ll need to know for CompTIA’s Security+ certification exam. The book is written in a modular fashion, with short, concise modules within each chapter devoted to specific topics and areas you’ll need to master for the exam. Each module covers specific objectives and details for the exam, as defined by CompTIA. We’ve arranged these objectives in a manner that makes fairly logical sense from a learning perspective, and we think you’ll find that arrangement will help you in learning the material.

    NOTE

    Throughout the book, you’ll see helpful Notes and Exam Tips. These elements offer insight on how the concepts you’ll study apply in the real world. Often, they may give you a bit more information on a topic than what is covered in the text or expected on the exam. And they may also be helpful in pointing out an area you need to focus on or important topics that you may see on the test.

    End of Chapter Questions

    At the end of each chapter you’ll find questions that will test your knowledge and understanding of the concepts discussed in the modules. The questions also include an answer key, with explanations of the correct answers.

    Using the Exam Objective Map

    The Exam Objective map included in Appendix A has been constructed to help you cross-reference the official exam objectives from CompTIA with the relevant coverage in the book. References have been provided for the exam objectives exactly as CompTIA has presented them—the module that covers that objective, the chapter, and a page reference are included.

    Online Resources

    The online resources that accompany this book feature the TotalTester exam software that enables you to generate a complete practice exam or quizzes by chapter or by exam domain. See Appendix B for more information.

    Study Well and Live Better

    We enjoyed writing this book and hope you will enjoy reading it as well. Good luck in your studies and good luck on the CompTIA Security+ exam. If you have comments, questions, or suggestions, tag us:

    Mike: desweds@protonmail.com

    Scott: jernigan.scott@gmail.com

    CHAPTER 1

    Risk Management

    It seems to me that if there were any logic to our language, trust would be a four-letter word.

    —Joel Goodson, Risky Business

    IT security professionals walk a tight line between keeping systems safe from inside and outside threats and making resources available to people who need them. Perfectly secure systems would allow no access, right? If attackers can’t access the systems, they can’t break or steal anything. But such perfect security clearly blocks legitimate users from using resources to produce anything of value. Conversely, a wide-open system provides great access for creativity and production, but also provides access to malicious people.

    Security professionals provide a space in between, with enough security to stop attackers, yet enough access to enable good people to create and produce. With risk management, security folks identify and categorize risks and then systematically put controls in place to manage those risks and thus minimize their impact on the organization. As a science, risk management uses statistics, facts, scans, and numbers to align a vision, a design for the organization. As an art, security professionals craft a plan for risk management that people will buy into and actually follow.

    This chapter tours IT risk management in eight modules:

    • Defining Risk

    • Risk Management Concepts

    • Security Controls

    • Risk Assessment

    • Business Impact Analysis

    • Data Security and Data Protection

    • Personnel Risk and Policies

    • Third-Party Risk and Policies

    Module 1-1: Defining Risk

    This module covers the following CompTIA Security+ objectives:

    1.2  Given a scenario, analyze potential indicators to determine the type of attack

    1.5  Explain different threat actors, vectors, and intelligence sources

    In IT security, risk implies a lot more than the term means in standard English. Let’s start with a jargon-filled definition, then examine each term in the definition. We’ll review the definition with some examples at the end of the module.

    Risk is the likelihood of a threat actor taking advantage of a vulnerability by using a threat against an IT system asset.

    This definition of risk includes five jargon terms that require further explanation:

    • Asset

    • Likelihood

    • Threat actor

    • Vulnerability

    • Threat

    Defining each jargon word or phrase relies at least a little on understanding one or more of the other jargon phrases. We’ll cover these next, and then explore two related topics, vectors and threat intelligence, to round out the concept of risk. Let’s do this.

    Asset

    An asset is a part of an IT infrastructure that has value. You can measure value either tangibly or intangibly. A gateway router to the Internet is an example of an asset with tangible value. If it fails, you can easily calculate the cost to replace the router.

    What if that same router is the gateway to an in-house Web server? If that Web server is no longer accessible to your customers, they’re not going to be happy and might go somewhere else due to lack of good faith or goodwill. Good faith doesn’t have a measurable value; it’s an intangible asset.

    Here are a few more examples of assets:

    Servers The computers that offer shared resources

    Workstations The computers that users need to do their job

    Applications Task-specific programs an organization needs to operate

    Data The stored, proprietary information an organization uses

    Personnel The people who work in an organization

    Wireless access Access to the network that doesn’t require plugging into an Ethernet port

    Internet services The public- or private-facing resources an organization provides to customers, vendors, or personnel via the Web or other Internet applications

    We will cover assets in much greater detail later in this chapter.

    Likelihood

    Likelihood means the probability—over a defined period of time—of someone or something damaging assets. Likelihood is generally discussed in a comparative nature. Here are a couple of examples:

    • The company expects many attacks on its Web server daily, but few on its internal servers. The potential for a successful attack on the Web server is much more likely than on internal servers, and thus the controls—the things put in place to protect the systems—would vary a lot.

    • Hard drives will likely fail after three years, with the probability of failure rising over time. The drive could fail right out of the box, but the likelihood of failure of a drive under three years old is much lower than that of a drive three or more years old.

    NOTE

    You will also hear the term probability as a synonym for likelihood.

    Threat Actor

    A threat actor is anyone or anything that has the motive and resources to attack another enterprise’s IT infrastructure. Threat actors manifest in many forms. Many folks think of a threat actor as a malicious person, such as a classic hacker bent on accessing corporate secrets. But a threat actor can take different guises as well, such as programs automated to attack at a specific date or time. A threat actor could be a respected member of an organization who has just enough access to the IT infrastructure but lacks the knowledge of what not to do. The word actor here simply means someone or something that can initiate a negative event.

    The CompTIA Security+ exam covers nine specific types of threat actor:

    • Hackers

    • Hacktivists

    • Script kiddies

    • Insiders

    • Competitors

    • Shadow IT

    • Criminal syndicates

    • State actors

    • Advanced persistent threat

    Hackers—and more specifically security hackers—have the technical skills to gain access to computer systems. White hat hackers use their skills for good, checking for vulnerabilities and working with the full consent of the target. The malicious black hat hackers, in contrast, do not have the consent of the target. Gray hat hackers fall somewhere in the middle. They’re rarely malicious, but usually do not have the target’s consent.

    EXAM TIP

    The CompTIA Security+ objectives use bland and nonstandard descriptive terms for hacker types. Be prepared for either term to describe/label a hacker.

    —White hat = Authorized

    —Black hat = Unauthorized

    —Gray hat = Semi-authorized

    A hacktivist is a hacker and an activist. These threat actors have some form of agenda, often political or fueled by a sense of injustice. Hacktivism is often associated with sophisticated yet loosely associated organizations, such as Anonymous.


    Script kiddies are poorly skilled threat actors who take advantage of relatively easy-to-use open-source attacking tools. They get the derogatory moniker because they don’t have skills that accomplished hackers possess. Their lack of sophistication makes them notoriously easy to stop, most of the time.

    Insiders (or insider threats) are people within an organization. As part of the targeted organization, these threat actors have substantial physical access and usually have user accounts that give them access to assets. In fact, the absolute best way to attack an organization is to be hired by them. You get hired; they hand you the keys to the kingdom; you’re in. Insiders are often motivated by revenge or greed, but that’s not universal. Some folks just do stupid things that cause all sorts of havoc.

    Shadow IT describes information technology systems installed without the knowledge or consent of the main IT department. Almost never based on malicious intent, shadow IT springs up when users need to work around limitations imposed by IT departments for purposes of security, limitations that hamper their jobs.

    Isn’t it interesting that one attribute of the two previous threat actors is that they are inside the organization? The rest of the threat actors are external to the organization.

    EXAM TIP

    Take the time to recognize the attributes of threat actors: internal/external, intent/motivation, resources/funding, level of sophistication/capability.

    Competitors are outside organizations that try to gain access to the same customers as the targeted company. Competitors, by definition in the same business, know precisely the type of secure information they want. Organizations practice competitive intelligence gathering to get information about competitors, their customers, their business practices, and so on. The information gathered can help shape business practices.

    Criminal syndicates use extra-legal methods to gain access to resources. Also known as organized crime, criminal syndicates are a huge problem today. These groups are sophisticated, are well funded, and cause tremendous damage to vulnerable systems worldwide to make money.

    State actors—or nation states—refer to government-directed attackers, such as the United States sending spies into Russia. Whereas criminal syndicates commonly use threats specifically to make money, state actors take advantage of vulnerabilities to acquire intelligence. Nation states have the resources—people and money—to collect open-source intelligence (OSINT) successfully: information from media (newspapers, television), public government reports, professional and academic publications, and so forth.

    State actors are easily the best funded and most sophisticated of all threat actors. State actors often use advanced persistent threats (APTs), where a threat actor gets long-term control of a compromised system, continually looking for new data to steal.

    NOTE

    Many state actors use criminal syndicates to conduct cyberattacks against other nation states.

    Vulnerability and Threat

    The terms vulnerability and threat go hand-in-hand, so it makes sense to talk about both at the same time. A vulnerability is a weakness inherent in an asset that leaves it open to a threat. A threat is an action a threat actor can use against a vulnerability to create a negative effect.

    Vulnerabilities and their associated threats exist at every level of an organization. Not changing the default password on a router is a vulnerability; someone taking control of your router by using the default password is the threat. Giving a user full control to a shared folder (when that user does not need nor should have full control) is a vulnerability. That same user having the capability to delete every file in that folder is a threat.


    Threats do not have to originate only from people or organizations. Forces of nature like earthquakes and hurricanes (a big deal here in Houston, Texas) can also be threats.

    As you might imagine, dealing with threats by minimizing vulnerabilities is a core component of risk management. This chapter will develop this concept in detail.

    NOTE

    You will see two other terms associated with the jargon phrases covered in this section, attack and incident. An attack is when a threat actor actively attempts to take advantage of a vulnerability. When the target recognizes an attack, it is called an incident. Both attacks and incidents go beyond the concept of risk and are covered in Chapter 13.

    Circling Back to the Risk Definition

    Now that we have explored each jargon term in some detail, let’s look at the definition of risk again and follow it with an example.

    Risk is the likelihood of a threat actor taking advantage of a vulnerability by using a threat against an IT system asset.

    Here’s an example of a risk:

    There’s a 15 percent chance in the next month that Sally the hacktivist will guess correctly John’s password on the important company server to gain access to secret documents.

    The likelihood is 15 percent over the next month. The threat actor is Sally the hacktivist. John’s lame password is a vulnerability; the threat is that Sally will get that password and use it to access the server. The assets are both the server and the secret documents. Got it? Let’s move on.

    Vectors

    Threat actors use a variety of attack vectors—pathways to gain access to infrastructure—to carry out attacks. In the olden days, threat actors used floppy disks or optical media as vectors to install malware or tools. Today, the only commonly used removable media are USB thumb drives, the vector of choice for a threat actor who has physical access to a target system. Other attack vectors include the classic hacker gets into your network through your router (a.k.a. direct access), the ubiquitous vector of wireless networks (802.11, Bluetooth, cellular), and the relatively new cloud vector.

    Don’t limit yourself to thinking networking when you consider vectors. Almost any application that transfers information between systems might be a vector. Threat actors can use e-mail, social media, conferencing, and even shared document applications as vectors for an attack.

    Smartphones and other mobile devices and the Internet of Things (IoT) offer serious and growing attack vectors for modern organizations. Just about everyone has a smartphone with sophisticated recording—video and sound—devices built in, plus always-on connectivity to the cellular network and the Internet. Any rogue or buggy app can create a pathway into a network. IoT devices controllable from outside the network also provide a point of entry to the network. It’s a brave new world that attackers will try very hard to exploit.

    The infamous Stuxnet worm that disrupted the Iranian nuclear program back in 2010 used a supply-chain vector. Threat actors (almost certainly the United States and Israel) infected printers with this worm that were then purchased by the Iranian government. This is a brutal example of a supply-chain attack.

    Threat Intelligence

    Cybersecurity professionals in organizations maintain and update information about past, current, and potential threats to the organization. This collection of information, called threat intelligence, helps those security professionals prepare for—and hopefully prevent—attacks on the organization.

    Moreover, most security folks share information about vulnerabilities and associated threats with other professionals in the field. It’s like one big, highly paranoid family out there!

    Sources for threat intelligence come from many places. Dedicated threat intelligence sources—such as vulnerability databases available on the Internet—provide a wealth of information, of course. But so do what CompTIA calls research sources—things like academic journals and social media. Security professionals dive into all of these sources to build their threat intelligence.

    This section explores the types of sources available for threat intelligence gathering and provides examples. This is not an exhaustive list of specific sources—impossible and instantly outdated—but a guide to the types of sources. We’ll look at dedicated threat intelligence sources, then follow with research sources.

    Threat Intelligence Sources

    Dedicated threat intelligence sources enable security professionals to research potential threats to their organizations and share threats they discover with their peers. These sources reveal the past and current threats, explore potential threats by defining characteristics or signature types, and much more.

    This section explores nine dedicated threat intelligence sources:

    • OSINT

    • Public/private information-sharing centers

    • Dark Web

    • Indicators of compromise

    • Adversary tactics, techniques, and procedures

    • Predictive analysis

    • Threat maps

    • File/code repositories

    • Vulnerability databases

    OSINT We discussed open-source intelligence (OSINT) sources earlier in this module. This category includes information gathered from media (newspapers, television), public government reports, professional and academic publications, and so forth. Security professionals rely heavily on OSINT for the big picture, a framework that nonpublic information sources can then fill in with more specific detail.

    Public/Private Information-Sharing Centers Motivated by the lack of coordinated information sharing between different federal organizations after 9/11, the US government passed a series of legislation establishing information-sharing centers, more commonly called Information Sharing and Analysis Centers (ISACs). Originally designed as government-based public entities just in the United States, most countries now have public ISACs as well as many private ISACs. ISACs communicate via Automated Indicator Sharing (AIS) tools to update each other’s databases automatically.

    The US Department of Homeland Security (DHS) sponsors several specifications for facilitating cybersecurity information sharing. Trusted Automated eXchange of Intelligence Information (TAXII) enables information sharing through services and message exchanges. TAXII provides transport for threat information exchange. Structured Threat Information eXpression (STIX) enables communication among organizations by providing a common language to represent information. Cyber Observable eXpression (CybOX) provides standardized specifications for communicating about cybersecurity phenomena and elements, from malware types to event logging. DHS has made these specifications available globally for free.

    EXAM TIP

    You might see a question on the CompTIA Security+ exam about DHS-sponsored specifications for cybersecurity information sharing. Only TAXII and STIX are in the objectives, though. CybOX is not mentioned.

    Dark Web The Dark Web refers to Internet sites that are inaccessible without using specific applications such as the Tor network. Dark Web sites run the gamut from illegal drug sales to terrorist groups to interesting puzzles, with just about everything in between (Figure 1-1). Dark Web sites are dark because search engines, like Google, don’t index them. You can’t find these sites with a typical Internet search, in other words, but they function just like any other Web site.

    Figure 1-1 A sketchy site on the Dark Web

    The Dark Web can provide a lot of important information, especially about criminal activity through sting operations conducted by law enforcement agents posing as Dark Web site visitors interested in engaging in illegal transactions. Plus, a lot of Dark Web sites offer highly entertaining, completely legal content. It’s the Wild West, so take care if (when) you venture in.

    Indicators of Compromise It’s almost impossible for a threat actor to attack a system and not leave behind clues of the actor’s presence. An IT security person must recognize the artifact of an intrusion, known as an indicator of compromise (IoC). IoCs take on many forms. A sudden increase in outgoing network traffic, malware signatures, strange changes in file permissions—all of these are examples of IoCs. IoCs feature as key evidence collected in forensic investigations.

    Recognizing IoCs enables cybersecurity professionals to monitor networks and to supply threat monitoring tools with threat feeds, real-time data streams of known IoCs used to recognize threats. Threat feeds work with internal networks as well as outside networks.
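    The STIX format described under information-sharing centers and the IoC matching just discussed, as an added example that is not from this book: a STIX 2.1 indicator bundle of the kind a partner ISAC might publish over TAXII, a minimal parser for the simple OR-joined comparison form of the STIX pattern language, and a matcher that runs those comparisons over a few log lines. The bundle, the log lines, the random indicator IDs, the 64-hex placeholder hash and the FIELD_MAP that ties STIX object paths to log fields are all constructed for illustration; a production pipeline would use the OASIS stix2 and stix2-patterns libraries and a TAXII client instead of the hand-rolled parser here.

```python
"""Match simple STIX 2.1 indicator patterns against log lines to surface IoCs.

Added example, not from the book. Everything below (bundle, logs, IDs, hash)
is constructed for illustration. Only single-bracket, OR-joined equality
comparisons are parsed; the full STIX pattern grammar is far richer.
"""
import re
import uuid

# Constructed 64-hex placeholder, not a real malware hash.
CONSTRUCTED_SHA256 = "0123456789abcdef" * 4

# Constructed STIX 2.1 bundle, shaped like what a partner ISAC would publish
# through a TAXII collection. Indicator IDs are random UUIDs, as STIX requires.
THREAT_FEED = {
    "type": "bundle",
    "id": "bundle--" + str(uuid.uuid4()),
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid4()),
            "created": "2021-01-15T10:00:00.000Z",
            "modified": "2021-01-15T10:00:00.000Z",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.45' OR "
                       "domain-name:value = 'update.example-c2.invalid']",
            "valid_from": "2021-01-15T10:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid4()),
            "created": "2021-01-15T10:00:00.000Z",
            "modified": "2021-01-15T10:00:00.000Z",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": f"[file:hashes.'SHA-256' = '{CONSTRUCTED_SHA256}']",
            "valid_from": "2021-01-15T10:00:00Z",
        },
    ],
}

# Constructed key=value log lines from a firewall, a DNS resolver and an
# endpoint agent; addresses come from the documentation ranges.
LOG_LINES = [
    "2021-01-16T08:02:11Z fw01 ALLOW src=10.0.0.23 dst=198.51.100.10 dport=443",
    "2021-01-16T08:02:19Z dns01 query src=10.0.0.23 qname=update.example-c2.invalid",
    "2021-01-16T08:02:20Z fw01 ALLOW src=10.0.0.23 dst=203.0.113.45 dport=8443",
    "2021-01-16T08:05:42Z edr01 file-write host=ws-23 sha256=" + CONSTRUCTED_SHA256,
    "2021-01-16T08:06:00Z fw01 ALLOW src=10.0.0.41 dst=192.0.2.8 dport=80",
]

# Assumed mapping: which log fields a STIX object path is compared against.
FIELD_MAP = {
    "ipv4-addr:value": ("src", "dst"),
    "domain-name:value": ("qname",),
    "file:hashes.'SHA-256'": ("sha256",),
}

# One STIX comparison: an object path, '=', and a single-quoted value.
COMPARISON_RE = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern):
    """Return [(object_path, value), ...] from a simple OR-joined STIX pattern.

    Anything outside the supported subset raises, so an unsupported pattern
    fails loudly instead of silently matching too much or too little.
    """
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern form: {pattern}")
    inner = body[1:-1]
    if " AND " in inner or "FOLLOWEDBY" in inner or "[" in inner:
        raise ValueError(f"only OR-joined comparisons are supported: {pattern}")
    comparisons = COMPARISON_RE.findall(inner)
    if not comparisons:
        raise ValueError(f"no comparisons found: {pattern}")
    return comparisons


def build_indicator_index(bundle):
    """Flatten every STIX indicator into {(object_path, value): indicator_id}."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # other STIX objects (malware, campaign, ...) carry no pattern
        for path, value in parse_pattern(obj["pattern"]):
            index[(path, value.lower())] = obj["id"]
    return index


def parse_log_line(line):
    """Split a key=value style log line into a dict of its fields."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def find_iocs(log_lines, index):
    """Return one hit record per (log line, matching indicator comparison)."""
    hits = []
    for line in log_lines:
        fields = parse_log_line(line)
        for (path, value), indicator_id in index.items():
            for log_key in FIELD_MAP.get(path, ()):
                if fields.get(log_key, "").lower() == value:
                    hits.append({"line": line, "path": path,
                                 "value": value, "indicator": indicator_id})
    return hits


if __name__ == "__main__":
    for hit in find_iocs(LOG_LINES, build_indicator_index(THREAT_FEED)):
        print(f"IoC {hit['path']}={hit['value']!r} ({hit['indicator']}):\n  {hit['line']}")
```

    Run as a script, it reports three hits: the DNS query for the listed domain, the firewall connection to the listed address, and the endpoint file write with the listed hash; the benign lines produce nothing. Matching on exact values is deliberately conservative, which is why every comparison is lowercased before indexing, and why an unsupported pattern raises instead of being partially applied.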

    Adversary Tactics, Techniques, and Procedures The term adversary tactics, techniques, and procedures (TTP) describes the actions of threat actors to gain access to your infrastructure. A tactic is the goal of the attacker, such as to gain initial access to a network or system. A technique is how the attacker implements that tactic, such as using a valid account or finding a weakness in your supply chain to gain initial access. A procedure is precisely how the attacker performs the technique; for example, watching a user’s keyboard as the user enters an account password.

    The MITRE ATT&CK framework incorporates TTP, breaking tactics into a dozen or so categories and providing common techniques associated with those tactics. Check it out here: https://attack.mitre.org.

    EXAM TIP

    CompTIA places threat feeds and TTP as types of research sources, but many researchers consider them part of dedicated threat intelligence sources. Either way, the key for the exam is that both sources enable you to enhance threat intelligence.

    Predictive Analysis Every IT security professional could use a crystal ball enabling him or her to know an incident is about to take place. That’s the world of predictive analysis: using software, often artificial intelligence, to look for trends to anticipate any upcoming problems. Predictive analysis isn’t perfect for every aspect of IT security, but for issues like hardware failure prediction and network loads, predictive analysis is a powerful tool.

    NOTE

    Check out the Predictive Analytics portal at CIO for the latest news on the subject: https://www.cio.com/category/predictive-analytics/.

    Threat Maps Threat maps are graphical representations of the geographical source and target of attacks (Figure 1-2). Threat maps are certainly pretty, but they aren’t real time and they lack any form of deep detail about the attacks. They work well for presentations, especially to show broader trends.

    Figure 1-2 Cyber Threat Map from FireEye

    File/Code Repositories A repository is a storage area for data files or code. Unlike archive data, repository data/code is stored in such a way that the data/code is sorted or indexed based on certain information pertinent to that data or code. Log files for an entire network over a certain number of years are one example of a file repository. Code repositories are a different matter. These are used by developers to produce and control code development. It’s rare to find anything written these days that doesn’t use a code repository like GitLab (Figure 1-3).

    Figure 1-3 GitLab

    EXAM TIP

    CompTIA lumps file and code repositories into a single term, file/code repositories.

    Vulnerability Databases The IT industry aggressively looks for vulnerabilities and their associated threats. Many governments and organizations host vulnerability databases, collections of all the known problem areas or weaknesses in deployed software. One of the most important vulnerability databases in the United States is the National Institute of Standards and Technology’s National Vulnerability Database (Figure 1-4).

    Figure 1-4 NIST National Vulnerability Database

    Another great source for vulnerabilities is the Common Vulnerabilities and Exposures (CVE) list provided by MITRE Corporation: https://cve.mitre.org.

    Also, check out the open-source, community-driven vulnerability database, VULDB: https://vuldb.com.

    There are a lot more vulnerability databases out there, but these three should get you started.

    NOTE

    CompTIA’s division between research sources and threat intelligence sources is somewhat arbitrary. In practice, these two areas overlap.

    Research Sources

    Research sources aren’t devoted exclusively to the idea of threat intelligence, but they’re always good places to look for problems in a more generic way. Whether you’re just checking a vendor forum or chatting at a conference, if security issues are out there, they’re always a hot topic. This section looks at seven common research sources:

    • Vendor Web sites

    • Vulnerability feeds

    • Conferences

    • Academic journals

    • Requests for comments

    • Local industry groups

    • Social media

    If you want to know anything about a product, go directly to the vendor Web site to do some good research (Figure 1-5). Who else knows more about a product (hopefully) than the vendor who makes or sells it? Find a support forum and dig in!

    Figure 1-5 Advanced networking device manufacturer Juniper’s support forums

    If you want to stay on the bleeding edge of vulnerabilities and you want them basically delivered to you, vulnerability feeds make your research easy (easier) by delivering RSS feeds, tweets, social media posts, or other methods to let you see what’s out there. There are hundreds of these types of feeds. The NVD, mentioned earlier, has a great feed.

    Get out there and hit some conferences! There are plenty of great conferences at the regional, national, and international level. Every IT security person should make a trip to the famous Black Hat conference, held annually in Las Vegas and in other locations internationally (such as Black Hat Europe and Black Hat Asia).

    Reading academic journals is the ultimate egghead research path, but many vulnerabilities are first brought to public attention in journals. The only challenge to reading about vulnerabilities in academic journals is that the articles often only discuss a theoretical vulnerability without showing how to do it (in many cases, someone usually does create a practical attack after an article is published).

    Requests for comments (RFCs) started as the original ARPANET documents that literally defined the Internet. While this is still true, RFCs evolved to cover every aspect of TCP/IP communication and are issued by the Internet Engineering Task Force (IETF), the Internet Research Task Force (IRTF), and the Internet Architecture Board (IAB). If you want the gritty details on any technology that is part of TCP/IP communications, RFCs are the place to go (Figure 1-6). All RFCs are public and can be accessed via www.rfc-editor.org.

    Figure 1-6 RFC for HTTPS

    Many security issues are industry specific, so joining local industry groups is almost always the best way to connect with the folks who deal with similar issues in your industry. These are often the only reliable source for industry-specific or closed/proprietary information. Search in your area for a local Information Systems Security Association International (ISSA) chapter. They’re super good: https://issa.org.

    Virtually every company or organization that provides hardware, software, services, or applications has some form of bug bounty program. These programs reward people who report vulnerabilities with money, swag, and acclaim (Figure 1-7). Before you get too excited and start hacking your favorite (fill in the blank), know that all of these programs have very specific scopes and parameters. Going beyond the scope could get you in serious legal trouble. Look before you leap! And get permission before you start.

    Figure 1-7 Facebook vulnerability reporting

    Social media, such as Twitter and Reddit, provide a wealth of threat intelligence sources. Numerous Twitter feeds are dedicated to cybersecurity. Check out @Dejan_Kosutic for hourly updates. The r/threatintel subreddit, while not quite as hyperactive as the Twitter feeds, has some great information as well.

    IT security professionals use a lot of tools to combat risk. These tools get lumped together under the term risk management. Primarily, the tools reduce the impact of—mitigate—threats posed to an organization. Module 1-2 explores risk management concepts; later modules expand on the toolsets available. Let’s leave Module 1-1 with a definition of the job of an IT security professional:

    IT security professionals implement risk management techniques and practices to mitigate threats to their organizations.

    Module 1-2: Risk Management Concepts

    This module covers the following CompTIA Security+ objectives:

    5.2  Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture

    5.3  Explain the importance of policies to organizational security

    Module 1-1 ended with a pithy job description: IT security professionals implement risk management techniques and practices to mitigate threats to their organizations. To get to the implement stage requires knowledge, naturally, and the term risk management is loaded with meaning. This module explores four aspects of risk management: infrastructure, security controls, risk management frameworks, and industry-standard frameworks and reference architectures. Later modules build on this information to get you to the implement step.

    The term security posture (or cybersecurity posture) refers to the security status of every aspect of an organization. That includes the security of networks, systems, physical property, and intellectual property, plus all the systems, policies, and controls that implement that security. Security posture includes external entities that affect the organization, such as partners, vendors, and the supply chain. This module takes some of the theory and concepts from Module 1-1 and begins the journey to understanding the security posture.

    Infrastructure

    In IT risk management, the term infrastructure applies to just about every aspect of an organization, from the organization itself to its computers, networks, employees, physical security, and sometimes third-party access.

    Organization

    At its most basic, an organization is who you work for: your company, your corporation, your nonprofit, your governmental department. These are good potential examples of an organization, but in some cases, you might need more details. A single organization, for example, might look like a collection of smaller organizations in terms of risk management (Figure 1-8).

    Figure 1-8 What’s your organization?

    The big difference here is how autonomous your IT management is in relation to the overall organization. The more decisions the main organization lets a smaller group handle, the more the smaller group should look at itself as an organization. A smaller organization might be a single physical location in a different city or perhaps a different country. It might be a division of a corporation, or a regional governmental agency.

    NOTE

    A quick way to determine the scope of any IT infrastructure is to identify the bigwigs. A single IT infrastructure should never have more than one chief security officer, for example.

    Systems

    Computers and network equipment are part of an IT infrastructure, but there are many more components. People matter, such as IT managers, IT techs, human resources, chief security officer, chief information officer, and legal staff; even individual users are part of the IT infrastructure. See Figure 1-9.

    Figure 1-9 We are your infrastructure.

    Physical Security

    Physical security is also an important part of an IT infrastructure. Fences, cameras, and guards protect your infrastructure just as well as they protect the rest of your organization. We’ll cover physical security in Chapter 7, Module 7-8.

    Third-Party Access

    Third parties that your organization contracts with are part of your IT infrastructure. Does your organization run an extranet that enables suppliers to access your equipment? Then those suppliers are part of your IT infrastructure. Have a maintenance contract on all your laser printers? There’s another part of your infrastructure. The company that hosts all your Web servers? Yes, they are part of your IT infrastructure as well. We’ll cover third-party access in Module 1-8.

    Security Controls

    The action taken to reduce or eliminate a vulnerability, and with it the threat that could exploit that vulnerability, is called a security control. A security control is a directed action you place on some part of your infrastructure. Security controls don’t say how to perform the steps needed to mitigate a threat, only that they must be performed.

    Here is an example of a security control from NIST Special Publication 800-53 (Rev. 4). (Rev. 5, published in 2020, keeps the same control identifiers, so IA-5 still appears there under the same title.)

    IA-5 Authenticator Management

    Control Description

    The organization manages information system authenticators by:

    a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;

    b. Establishing initial authenticator content for authenticators defined by the organization;

    c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;

    Plus about seven other points that collectively make up the security control.

    You don’t have to know what all of that means yet, but do note that the controls are guidelines, not specific implementation steps. Steps required to implement the controls will vary among operating systems and network systems. The bottom line for your job as a security professional is to locate vulnerabilities and apply security controls. It’s what we do.

    NOTE

    The security control listed here comes from the NIST NVD in case you want to look it up: https://nvd.nist.gov/800-53/Rev4/control/IA-5.
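    Added example, not text from the book or from NIST: one way a Python-based system might implement clauses b and c of IA-5 for password authenticators. The minimum and maximum lengths, the blocklist contents, the Unicode normalization, the username check and the retry budget are this example’s own assumptions; IA-5 says only that initial authenticator content must be established and that strength of mechanism must be sufficient, and leaves those choices to the organization and the platform.

```python
"""One way to implement two clauses of NIST SP 800-53 IA-5 (Authenticator
Management) for password authenticators. IA-5 states what must be true;
the parameters below (lengths, blocklist, normalization) are this
example's own assumptions, not text from the control."""

import secrets
import string
import unicodedata
from typing import List

MIN_LENGTH = 12   # assumed organization-defined parameter
MAX_LENGTH = 64   # assumed upper bound so long passphrases are accepted

# Constructed stand-in for a list of compromised or common passwords.
BLOCKLIST = {"password", "password123", "qwerty", "letmein", "welcome1"}


def generate_initial_authenticator(length: int = 16) -> str:
    """IA-5(b): establish initial authenticator content.

    Uses the OS CSPRNG via the secrets module (not random) and a printable
    alphabet, so the value is unpredictable and survives being typed in."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_authenticator_strength(candidate: str, username: str = "") -> List[str]:
    """IA-5(c): ensure sufficient strength of mechanism.

    Returns the reasons a candidate is rejected; an empty list means accepted.
    Unicode is normalized first so look-alike strings are judged the same way."""
    normalized = unicodedata.normalize("NFKC", candidate)
    reasons: List[str] = []
    if len(normalized) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if normalized.lower() in BLOCKLIST:
        reasons.append("appears in the compromised/common-password blocklist")
    if username and username.lower() in normalized.lower():
        reasons.append("contains the username")
    if len(set(normalized)) < 4:        # catches "aaaaaaaaaaaa"-style values
        reasons.append("too few distinct characters")
    return reasons


def provision_initial_password(username: str) -> str:
    """Tie (b) and (c) together: generate an initial authenticator and
    refuse to hand out one that would fail the organization's own check."""
    for _ in range(10):                 # retry budget; a failure here is very unlikely
        candidate = generate_initial_authenticator()
        if not check_authenticator_strength(candidate, username):
            return candidate
    raise RuntimeError("could not generate an acceptable initial authenticator")


if __name__ == "__main__":
    print(provision_initial_password("alice"))
    print(check_authenticator_strength("Password123", "alice"))
```

    Notice the gap between the control text and the code: IA-5 says nothing about character sets, CSPRNGs, or blocklists, yet a Windows domain, a Linux PAM stack, and a web application would each turn the words “sufficient strength of mechanism” into different concrete settings. The control is the requirement; this code is one implementation of it, and an assessor’s job is to confirm that the implementation actually satisfies the control.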

    As you might imagine, the typical infrastructure probably has thousands, if not tens of thousands, of security controls that need to be applied. How does a lone IT security pro create this list of controls? The answer is, you don’t. You use a bit of magic called a risk management framework.

    Risk Management Frameworks

    A framework is a description of a complex process, concentrating on major steps and the flows between the steps. A risk management framework (RMF) describes the major steps and flows of the complex process of applying security controls in an organized and controlled fashion.

    EXAM TIP

    The CompTIA Security+ 601 objectives use the term key frameworks as an umbrella term for the various risk management frameworks discussed in this module. That’s an objectives organizational term rather than an industry term.

    One popular RMF is the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). See Figure 1-10. This RMF is described in NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Originally designed as an RMF expressly for US federal organizations, the NIST RMF has been adopted as the de facto RMF by many in the IT security industry.

    Figure 1-10 NIST RMF from NIST.SP.800-37r2.pdf

    The NIST RMF isn’t the only well-known framework. It was originally written for federal agencies (the latest revision even changed its title from Federal Information Systems to Information Systems and Organizations). In 2014, NIST introduced the NIST Cybersecurity Framework (CSF), geared more toward private industry. The NIST CSF covers similar ground to the NIST RMF but is higher level and less prescriptive.

    International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 is the international standard for best-practice information security management systems (ISMS), roughly analogous to the NIST RMF. ISO/IEC 27002 is the companion standard that helps organizations enumerate—list, define—their security controls: it provides a catalog of reference controls with implementation guidance, organized into control categories, rather than step-by-step instructions for any particular product or platform. ISO/IEC 27701 extends ISO/IEC 27001 and 27002 to address personal information and privacy management.

    NOTE

    ISO 27001 and 27002 are certainly frameworks, but think of them more as frameworks with teeth! Organizations can be formally audited and certified against ISO 27001 (27002 itself is guidance, not a certification target), and the EU can selectively choose to require organizations to use these frameworks as a compliance check, making them more of a standard than a simple recommendation like NIST’s publications.

    ISO 31000 provides a broad, higher-level, and less technical overview of risk management concepts and tools to implement risk management frameworks from the executive
